xssed trouble...

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 04-10-08 14:26

OK, basically when I submit an XSS link to xssed.com and it uses POST, for some reason it never shows up... So I was wondering, am I doing this right?:
NAME:SaMTHG
URL:http://www.the_xss_vulnsite.com/search.php
POST:"><script>alert("XSS")</script>
IMG:The verification numbers/letters

Because I've now submitted at least 15 different sites using POST and none have shown up... only those that have the XSS in the URL. Thanks

Edit:
I wish hbh would filter ampersands so I wouldn't have to type out all of the ampersands with &amp;

Edited by on 05-10-08 11:16

RE: xssed trouble...

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 05-10-08 12:36

I know how XSS works, I'm just wondering: if I only put in <script>alert(stuff here)</script>, and on the site I used the XSS on I used "><script>alert(stuff here)</script>, and it works and doesn't work without the ">, then what do the staff of xssed do???

RE: xssed trouble...

Posts: 586Location: He is back and he's bad!Joined: 25.11.07 Rank: Mad User

Posted on 05-10-08 12:49

SaMTHG wrote:
I know how XSS works, I'm just wondering: if I only put in <script>alert(stuff here)</script>, and on the site I used the XSS on I used "><script>alert(stuff here)</script>, and it works and doesn't work without the ">, then what do the staff of xssed do???

It's already been explained. Usually the input will be echoed in the page as, for example, <input type="text" value=$input>, or, I don't know, even <a href=$input>something</a>.
If you input just <script>alert(/xsss/)</script> it will result in <input type="text" value="<script>alert(/xsss/)</script>">, thus not being executed, because you are still within the <input> tag.
But if you use "><script>alert(/xsss/)</script> you end up with <input type="text" value=""><script>alert(/xsss/)</script>">, so the input tag is properly ended and then your script is inserted and executed.
Whereas if the input was echoed just like <b>$input</b>, you could use just <script>alert(/xsss/)</script>, because when the input is echoed, it's not within any other tag, therefore no need to end one --> <b><script>alert(/xsss/)</script></b>


spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl
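
The two echo contexts from the reply above, as an added example that is not part of the original thread: it renders the same two inputs into an attribute value and into an element body, counts the script elements an HTML parser creates, and shows that entity-encoding the input on output leaves none in either context. The template strings and function names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed templates mirroring the two echo contexts described in the reply.
ATTR_TEMPLATE = '<input type="text" value="{}">'
BODY_TEMPLATE = '<b>{}</b>'


class ScriptCounter(HTMLParser):
    """Counts the <script> start tags a parser sees in the markup."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(markup):
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def render_raw(template, user_input):
    # Vulnerable: the input is echoed verbatim, as in the thread.
    return template.format(user_input)


def render_encoded(template, user_input):
    # Hardened: & < > " ' become entities, so the input can neither
    # close the attribute value nor open a new tag.
    return template.format(escape(user_input, quote=True))


def main():
    plain = '<script>alert(/xsss/)</script>'
    breakout = '">' + plain
    for name, tpl in (("attribute", ATTR_TEMPLATE), ("element body", BODY_TEMPLATE)):
        for value in (plain, breakout):
            print(name, repr(value),
                  "raw:", script_elements(render_raw(tpl, value)),
                  "encoded:", script_elements(render_encoded(tpl, value)))


if __name__ == "__main__":
    main()
```
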

RE: xssed trouble...

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 05-10-08 12:54

I think it should be done like this:
For example, if there is a login screen, when you input some XSS,
use livehttpheaders and see how it sends it.
Then use that part to submit the XSS to xssed.
Example:

RE: xssed trouble...

It just depends on the script. Sometimes you need it, other times you don't. I have noticed that you need it on the more basic ones, but that's not to say that you may not need it for another one that left that part out.

Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.

RE: xssed trouble...

yours31f wrote:
It just depends on the script. Sometimes you need it, other times you don't. I have noticed that you need it on the more basic ones, but that's not to say that you may not need it for another one that left that part out.

DISREGARD ELEMENTAL PROOF. 50% CHANCE ON EVERYTHING!

"The chowner of property." - Zeph

"Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term." - Carl Sagan

"Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?" - Ebert